Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 19th, 2008

Above 300,000 More Websites Compromised Targeting Chinese Users

Series of mass compromises continue and, according to Trend Micro, just a week after half a million websites were compromised, another mass web SQL injection hit more websites in the Chinese language. This malicious activity deliberately targets users from China, Taiwan, Singapore, and Hong Kong. Currently Google search results show around 300,000 pages that contain the malicious JavaScript code, among them, as usual, many government and educational sites.

Screenshot from Google (do not visit those sites):

Users visiting any of the compromised sites would be infected by a malicious script installed on their system. The script, detected as JS_IFRAME.AC, may be downloaded from the remote site http://s.****.us/s.js.

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts in web.The following exploit routines are performed by JS_IFRAME.AD:

1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shell code to an installed RealPlayer
3. Checks for GLAVATAR.GLAvatarCtrl.1
4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow (Chinese-language software)
5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer (Chinese-language software)

These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:

http://********.cn/real11.htm – detected as JS_REALPLAY.AT
http://********.cn/real.htm – detected as JS_REALPLAY.CE
http://********.cn/lz.htm – detected as JS_DLOADER.AP
http://********.cn/bfyy.htm – detected as JS_DLOADER.GXS
http://********.cn/14.htm – detected as JS_DLOADER.UOW

Additional detected scripts downloaded by JS_IFRAME.AD are VBS_PSYME.CSZ, JS_VEEMYFULL.AA, JS_LIANZONG.E, JS_SENGLOT.D.

These four malware, in turn, download and execute http://******, which is detected as TROJ_DLOADER.KQK.

The research was conducted by Senior Threat Analyst Aries Hsieh, a team of researchers from Trend Micro and consolidated findings of the Research (Taiwan), Escalation, and Threat Response teams at TrendLabs.

Trend Micro is trying to reach Taiwan CERT to inform them of this mass compromise.

Share this item with others:

More on CyberInsecure:
  • More Websites Are Compromised, This Time Avoiding Chinese Websites And Users
  • One Of CNN Sports Websites Hacked By Chinese Anti-CNN Group
  • White House Network Hacked By Chinese On Multiple Occasions
  • Targeted Malware Attacks Exploiting Internet Explorer 7 Vulnerability
  • Android Market Security Update Released By Google Contained Mobile Trojan

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Above 300,000 More Websites Compromised Targeting Chinese Users

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.